Configuring Enterprise Server Auditing

You can configure the audit facility to use syslog to create audit events and then specify where the events are sent. To enable auditing, you need to do the following:

  1. A syslog facility is required to listen on a specific port.
  2. The security configuration for the service you want to audit (for example, MFDS or a region) must be configured to generate audit events.
  3. The audit.cfg file must be configured to send audit events to the syslog port.

Configuring the External Security Manager

To generate audit events from MFDS or from a region, click Create audit events for the relevant External Security Manager (ESM). This is in the SAF Security Facility Configuration group for the relevant ESM as follows:

  • To enable auditing for MFDS, this option is in the MF Directory Server tab in the security options.
  • To enable auditing for a region, this option is available in the SAF configuration for the security manager that is in use for the region.
Note: If the region is configured to use the Default External Security manager (ESM) then this option located in the SAF configuration in the Default ES Security tab.

If the region is configured to use a specific ESM the SAF configuration can be found in the Security tab for the particular region.

In the relevant Security Facility, click Create audit events, and then click Apply.

Note: You must first create and configure the audit.cfg file. Without this file, auditing fails and the security manager is not initialized.

Creating and Configuring audit.cfg

Configuration is specified in the audit.cfg file, which you must create in the bin directory of your Enterprise Server installation, which by default is $COBDIR.

The configuration file follows the standard INI file format containing sections, properties and values.

The audit.cfg file must be configured to point to the machine and port that is running the syslog facility.

The configuration file is read when the audit process is initialized. Changes made to the configuration file are not picked up by the audit process that is running. You must restart the audit process to reload a modified configuration file.

The following is an example of the audit.cfg configuration file:

; The type of emitter used to output audit events, valid values [syslog]|[oldaudit].

; This section is for configuring the syslog emitter
; The hostname and port of the syslog collector, where the syslog packets are sent.
; The hostname may be a host name string, dotted IPv4 or hex IPv6 notation.
; If you are using TLS, the hostname value may be used for hostname verification. See serverCertHostname for more information.

; protocol: Specifies the protocol syslog should use, valid values [TCP]|[TLS].

; All configuration  values for syslog below this point are optional:
; tzKnown: If the timezone of this machine is known, this value should be 1. 
; If not known, it should be 0.
; isSynced: If this machine's clock is synced to a known external source, this must be set to 1. 
; Otherwise, it must be 0.
; syncAccuracy: The accuracy to which the machine's clock is synced. This is an integer, in 
; microseconds, that the machine's clock may be off.
; ip: The IP address of this machine. This may be a comma-delimited list, in the case of 
; multi-homed devices.

; maxRetryTime: Configure how long (in seconds) the audit process should spend attempting to re-send data if a failure occurs. 
; The application will continue retrying until a time greater than this value has elapsed. 
; Negative values mean an infinite timeout. Defaults to 1. 

; This section is for TLS configuration, which may be used by syslog.
; CARootFile: This is the certificate authority root file the client uses when connecting to verify 
; the server's certificate.
CARootFile=C:\Program Files (x86)\Micro Focus\DemoCA\private\CARootcert.pem

; All configuration values for TLS below this point are optional
; verifyServer: Specifies whether the client should verify the server's certificate or not. 
; Valid values: [true]|[false]. Default value is true.
; clientCertificate: The full file path to the client's certificate:
clientCertificate=C:\Program Files (x86)\Micro Focus\DemoCA\clicert.pem
; keyfile: The full file path to the client's key file:
keyfile=C:\Program Files (x86)\Micro Focus\DemoCA\clikey.pem
; keyfilePassphrase: If the keyfile has a passphrase, it is specified here:
; serverCertHostname: The value that is used to compare against the Hostname on the server's certificate. 
; If this is not specified (not present/commented out), by default the hostname specified in the syslog section is used. 
; If a value is not specified, for example 'serverCertHostname=', then the hostname verification is disabled.